Remove MailboxDatabase operation fails to clean up health mailboxes

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Exchange Server 2013 Enterprise


When you try to remove a mailbox database from Exchange Server 2013 or Exchange Server 2016, you receive the following warnings. 




This attempt to remove the mailbox database fails to remove the AD User accounts of health mailboxes in the database, and this triggers the warning messages. 

The AD user accounts cannot be removed in this case because the Exchange Servers security group inherits explicit “deny” permissions for deleting objects in the Monitoring Mailboxes container.


To work around this issue, add an explicit “allow” permission for the Exchange Servers group on the Monitoring Mailboxes container. To do this, follow these steps:
  1. Open Active Directory Users and Computers.
  2. Click View, and then make sure that Advanced Features is selected. If it is not, select it.
  3. Navigate to the following container:

  4. Right-click Monitoring Mailboxes, click Properties, and then click the Security tab.
  5. Click Advanced on the Security tab. You now see the following dialog box:
  6. Click Add, type Exchange Servers, click Check Names, and then click OK.
  7. Select the Allow check box for the Delete subtree permission.
  8. Click OK in all the remaining windows.
  9. Wait for AD replication.

If you have an Exchange deployment in a multi-domain AD environment, follow the preceding steps in all the domains in which Exchange servers are deployed.
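
The following is an added example, not part of the original article and not Microsoft's own code: a read-only PowerShell check that lists the delete-related permission entries held by the Exchange Servers group on the Monitoring Mailboxes container, queried per domain controller so you can confirm the change has replicated. It assumes the ActiveDirectory module (RSAT) is installed; the function name, the container DN placeholder and the domain controller names are hypothetical.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumes the ActiveDirectory (RSAT) module is available on this host.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-MonitoringMailboxDeleteAce {
    param(
        # DN of the Monitoring Mailboxes container (placeholder; supply your own).
        [Parameter(Mandatory)] [string]   $ContainerDn,
        # Domain controllers to query, one or more per domain.
        [Parameter(Mandatory)] [string[]] $Server,
        # Trustee to look for, matched against the name part of DOMAIN\Name.
        [string] $GroupName = 'Exchange Servers'
    )

    # Rights that govern deleting the container's children or subtree.
    $deleteRights = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

    foreach ($dc in $Server) {
        # Read the security descriptor from this specific DC.
        $obj = Get-ADObject -Identity $ContainerDn -Server $dc -Properties nTSecurityDescriptor

        $obj.nTSecurityDescriptor.Access |
            Where-Object {
                $_.IdentityReference.Value -like "*\$GroupName" -and
                (([int]$_.ActiveDirectoryRights -band $deleteRights) -ne 0)
            } |
            Select-Object @{ n = 'Server';  e = { $dc } },
                          @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
                          AccessControlType,      # Allow or Deny
                          ActiveDirectoryRights,  # e.g. DeleteTree
                          IsInherited,            # False = set directly on the container
                          InheritanceType
    }
}

# Example call (constructed DC names; replace the DN placeholder with your own):
# Get-MonitoringMailboxDeleteAce -ContainerDn '<DN of the Monitoring Mailboxes container>' `
#     -Server 'dc01.example.com', 'dc02.example.com' | Format-Table -AutoSize
```

After the workaround has replicated, each domain controller should return an Allow entry that includes DeleteTree with IsInherited set to False; Deny entries with IsInherited set to True are the inherited ones described above.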


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.